List Security: An Evolution and an Imperative
By Harriet Heyman
The customer list is one of an organization's most valuable assets. Protecting this asset—from theft, fraud, misuse—has always been a concern. The answers on how to keep a list secure used to be easy; today they are hard.
Even the reference to this asset has changed from "list" to "database," suggesting a broader set of information to protect. And as we advanced from rudimentary customer lists—once maintained on index cards—to keypunch, data entry, data scanning and data capture through electronic means, the safeguards have had to be constantly updated.
Early List Security
When I entered the list business some 30 years ago, lists were delivered on Cheshire labels. It was unlikely anyone would re-key the entire list, so a second use or outright theft was improbable. Renters of these mail lists understood they could use the list only once (unless multi-use agreements were negotiated) and, as a safeguard, list managers or owners planted a few decoy names and addresses to assure the renter would not trespass. List rental agreements in contract form emerged to spell out what was—and was not—permissible.
But once merge/purge processing, magnetic tape and large list brokerage firms came onto the scene, list owners were challenged to create new measures to prevent unauthorized use. Decoy systems became more sophisticated, so seeds could not be easily identified.
Generally, service bureaus that performed merge/purge, hygiene and mail streaming were slow to develop data security measures. Eventually, vendors came to realize their special responsibility in handling customer lists for their clients and began early data security measures, such as logging receipt of magnetic tapes and keeping the tapes in a secure location. Typically, the tapes were used once for the campaign, and then erased or returned to the list manager.
As direct mail costs soared over the years, marketers responded with targeting tools to increase response rates and return on investment. Statistical models were developed to better target; demographic or psychographic data was appended to customer records, and lists were sent to vendors for enhancement—and often to other outside firms to build models. These vendors, too, developed data security measures to protect lists in their custody.
List Security Now
Today, marketers are forced to better protect the consumer information they maintain on their marketing databases, either through regulation or consumer pressure. A recent law in California requires that if any breach occurs that compromises the information of an individual residing in that state, the marketer must inform that resident of the breach. The only exception is if the data have been encrypted.
Data security policies, written standard operating procedures (SOPs) and constant training in the SOPs are necessary to maintain safeguards when handling sensitive consumer data. When the Federal Trade Commission investigates a breach-of-data-security complaint or incident, it expects the organization to have written policies and procedures in place. If not, the outcome of the inquiry or investigation may not be favorable to the marketer.
Data security audits of service vendors who hold clients' customer data are common. Also, it is typical to have contracts with third-party vendors in place that contain detailed data security requirements and provide for chain-of-trust agreements to assure that sub-contractors maintain data protection measures equivalent to the primary vendor's, or even the marketer's.
With newer technology and shrinking time frames for data processing prior to campaigns, file transfer protocol (FTP) transfers via the Internet eliminate the shipping of tapes. Now, data are available to hand off to the next vendor electronically. Encryption is now widely employed, and practically necessary where data are "sensitive," to keep them secure when transferred via the Internet. Password management and systems monitoring, to control access to FTP sites, are also necessary.
With consumers' heightened sensitivity to the use of their personal information, it is clear that all entities that touch this data must use the latest, most effective tools and procedures to maintain data integrity.
Harriet Heyman is vice president and strategic consultant of Harte-Hanks, and serves on the Direct Marketing Association's Ethics Policy Committee. Heyman can be reached at (304) 754-7411, or firstname.lastname@example.org.